Companies should not forget to keep an eye on internal threats when securing the enterprise.

That was the overarching theme for several speakers at IDC Asia/Pacific's SecurityVision 2008 conference on Tuesday.

Song Haiyan, vice president of engineering at ArcSight, quoted figures from a 2006 InfoPro survey, saying 72 percent of Fortune 1000 organisations worry about insider threats at least as much as external security breaches.

Increasingly, security issues revolve around employee activity, she said, noting a trend for many enterprises to buy a broad portfolio of security products, but with little focus on weak security areas.

"Don't buy too much. Start with a good foundation around your [existing security] assets" before patching weak spots, she advised.

Another area of vulnerability comes with the advent of web applications, said Citrix Systems' Asean area vice president, Yaj Malik.

Malik said most targeted hacker activity today focuses on customised web applications, which include internally developed and customised package applications. According to Malik, these are "extremely hard to write securely" and lack signatures or patches, causing the "traditional security paradigm [to] fall apart".

Elaborating, he said this "traditional security paradigm" is a reactive one, where patches and signatures are issued only after a hole is discovered. With no signature or patch-management cycle for many of these web applications, they offer "untraceable access to sensitive data".

Yet, despite the vulnerabilities associated with users and applications, 75 percent of most enterprise security investments are focused at the network level, while, conversely, 75 percent of attacks are focused at the application level, said Malik.

Malik said that securing the endpoint assumes programmers write perfect software, free of security leaks. However, he added that bugs exist in all software, and it is due to these that data breaches occur.

Ieta Chi, Asia-Pacific director of business development at Trend Micro, echoed the words of the previous speakers.

Quoting research from Market Research International, he said the top three reasons for enterprise security leaks, in descending order, are: employees copying files out of office systems, corporate email breaches and leaks from email accessed on public internet terminals.

Chi noted that all three examples are employee-related. As such, this potentially negates the efficacy of data encryption, since encryption protects against unauthorised access, and does not pose a barrier for authorised employees.

Quoting a 2006 study by US research firm the Ponemon Institute, Chi said: "78 percent of data breaches come from authorised insiders."